b'                      UNCLASSIFIED\n\n  United States Department of State\n\nand the Broadcasting Board of Governors\n\n         Of\xef\xac\x81ce of Inspector General\n\n\n\n\n\n                 Of\xef\xac\x81ce of Audits\n\n\n\nReview of the Information \n\n Security Program at the \n\n  Department of State\n\nReport Number AUD/IT-10-10, November 2009\n\n\n\n\n                                IMPORTANT NOTICE\n\n\n This report is intended solely for the of\xef\xac\x81cial use of the Department of State or the\n Broadcasting Board of Governors, or any agency or organization receiving a copy\n directly from the Of\xef\xac\x81ce of Inspector General. No secondary distribution may be\n made, in whole or in part, outside the Department of State or the Broadcasting\n Board of Governors, by them or by other agencies or organizations, without prior\n authorization by the Inspector General. Public availability of the document will be\n determined by the Inspector General under the U.S. Code, 5 U.S.C. 552. Improper\n disclosure of this report may result in criminal, civil, or administrative penalties.\n\n\n\n\n                        UNCLASSIFIED\n\n\x0c                                      UNCLASSIFIED\n\n\n\n\n\n                                                    United States Department of State\n                                                    and the Broadcasting Board of Governors\n\n                                                    Office of Inspector General\n\n\n\n\n                                         PREFACE\n\n\n     This report was prepared by the Office of Inspector General (OIG) pursuant to the Inspector\nGeneral Act of 1978, as amended, and Section 209 of the Foreign Service Act of 1980, as\namended. 
It is one of a series of audit, inspection, investigative, and special reports prepared by\nOIG periodically as part of its responsibility to promote effective management, accountability\nand positive change in the Department of State and the Broadcasting Board of Governors.\n\n     This report is the result of an assessment of the strengths and weaknesses of the office, post,\nor function under review. It is based on interviews with employees and officials of relevant\nagencies and institutions, direct observation, and a review of applicable documents.\n\n      The recommendations therein have been developed on the basis of the best knowledge\navailable to the OIG and, as appropriate, have been discussed in draft with those responsible for\nimplementation. It is my hope that these recommendations will result in more effective,\nefficient, and/or economical operations.\n\n     I express my appreciation to all of those who contributed to the preparation of this report.\n\n\n\n\n                                           Harold W. Geisel\n                                           Deputy Inspector General\n\n\n\n\n                                      UNCLASSIFIED\n\n\x0c                                            UNCLASSIFIED\n\n\n\n\n\n                                TABLE OF CONTENTS\n\n     Section                                                                                                         Page\n\nEXECUTIVE SUMMARY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 \n\nBACKGROUND. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5\n\nRESULTS OF 2009 FISMA REVIEW. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7\n\n   Critical, Volatile, and Inherited Controls Were Not Adequately Identi\xef\xac\x81ed or \n\n   Tested . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
. . . . . . . . . . . . . . . . 7\n\n   Connectivity Between Contractor Systems and Department Systems Was Not \n\n   Adequately Identi\xef\xac\x81ed, Tested, and Monitored . . . . . . . . . . . . . . . . . . . . . . . . . . . 9\n\n   Contingency Plan Toolkits Should be Improved . . . . . . . . . . . . . . . . . . . . . . . . 12\n\n   Management of Con\xef\xac\x81guration Management Controls Process Was Not \n\n   Adequate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15\n\n   Security Weaknesses in iPost Were Not Captured in the Department POA&M \n\n   Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17\n\n   Information Security Weaknesses Were Not Adequately Managed . . . . . . . . . . 19\n\n   IT Audit-Related Security Weaknesses Were Not Adequately Managed . . . . . . 21\n\n   Security Awareness Training Requirements Were Not Enforced . . . . . . . . . . . . 24\n\n   All Employees With Signi\xef\xac\x81cant Security Responsibilities Did Not Attend \n\n   Required Role-Based Training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26\n\n   Inventory Records Were Materially Correct . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27\n\n   Incident Management Program Was Adequately Managed . . . . . . . . . . . . . . . . 29\n\n   Privacy Program Is in Compliance With Federal Requirements and OMB \n\n   Guidance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30\n\nLIST OF RECOMMENDATIONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33\n\nABBREVIATIONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37\n\nAPPENDICES\n\n   A. Scope and Methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
. . 39\n\n   B. Follow-up of Recommendations From the FY 2008 FISMA Report . . . . . . 41\n\n   C. Bureau of Information Resource Management Response . . . . . . . . . . . . . . . 45\n\n\n\n\n                                              UNCLASSIFIED\n\n\x0c                                             UNCLASSIFIED\n\n\n\n\n\n                             EXECUTIVE SUMMARY\n\n        In response to the Federal Information Security Management Act of 2002\n    (FISMA) (44 U.S.C. \xc2\xa7 3545 et seq.), the review team performed an independent\n    evaluation of the information security program at the Department of State (De-\n    partment). The review team reviewed the Department\xe2\x80\x99s progress in addressing\n    FISMA information management and information security program requirements\n    per FISMA and other statutory requirements, including Of\xef\xac\x81ce of Management and\n    Budget (OMB) guidance. The review team assessed performance in various ar-\n    eas, including certi\xef\xac\x81cation and accreditation (C&A), plan of action and milestones\n    (POA&M), security awareness and training, con\xef\xac\x81guration management, inventory,\n    incident reporting, and privacy requirements. Since FY 2008, the Department has\n    taken steps to improve management controls to include the following:\n\n         \xe2\x80\xa2 \t Updated Inventory Toolkits to provide guidance for inventory identi\xef\xac\x81cation,\n             analysis, and recording. Signi\xef\xac\x81cant improvements have been made to ensure\n             that inventory is materially correct.\n         \xe2\x80\xa2 \t Effectively managed a decentralized Incident Management Program and re-\n             ported incidents timely to the United States Computer Emergency Readiness\n             Team (US-CERT).\n         \xe2\x80\xa2 \t Updated the Privacy Impact Assessment template to make it compliant with\n             OMB guidance.\n\n         However, further improvements are needed. 
\n\n\n         \xe2\x80\xa2 \t Although the Annual Control Assessment Toolkit was modi\xef\xac\x81ed in the third\n             quarter of FY 2009 to include a de\xef\xac\x81nition of critical and volatile controls\n             and training was provided to systems owners, the Department should work\n             with systems owners to identify critical and volatile controls that should be\n             tested for each application and system; expand the quality control program\n             to include analysis of how well certi\xef\xac\x81cation testing addresses critical, volatile,\n             and inherited controls; and ensure all controls are tested over a 3-year C&A\n             cycle.\n         \xe2\x80\xa2 \t Although the C&A Toolkits were modi\xef\xac\x81ed in FY 2009 to instruct systems\n             owners on how to identify external and inter-connections agreements, the\n             Department should supplement the current information provided in the\n             C&A Main Toolkit and Inventory Toolkit to include additional guidance for\n\n\nOIG Report No. 
AUD/IT-10-10, Review of the Information Security Program at the DOS - Nov 2009     1 .\n\n\n                                             UNCLASSIFIED\n\x0c                                   UNCLASSIFIED\n\n\n\n             annual testing of critical and volatile controls and be more proactive in re-\n             viewing Systems Security Plans and test results to ensure compliance with the\n             methodology in the C&A Toolkits.\n         \xe2\x80\xa2 \t Although the Contingency Plan (CP) Toolkits were created in FY 2009,\n             the Department should update them to include requirements that systems\n             owners should review and revise CP following CP failed test results, create\n             POA&M for failed CP control tests, and include veri\xef\xac\x81cation by the Of\xef\xac\x81ce of\n             Information Assurance that systems owners are complying with CP Toolkits\n             and methodology.\n         In addition, the Department should take the following actions:\n\n         \xe2\x80\xa2 \t Create an Information Security Architecture that outlines information secu-\n             rity responsibility for the Department\xe2\x80\x99s decentralized information security\n             environment.\n         \xe2\x80\xa2 \t Record and report systemic security weaknesses identi\xef\xac\x81ed through the iPost/\n             site Scoring process as POA&M actions to ensure that these weaknesses are\n             tracked, prioritized, and remediated.\n         \xe2\x80\xa2 \t Develop a method that ensures that each systems owner provides timely and\n             complete updates to the POA&M database. 
Validate the information in the\n             Department POA&M database, and review the Corrective Action Plan report\n             before it is submitted to OMB.\n         \xe2\x80\xa2 \t Create a Standard Operating Procedure for managing information technol-\n             ogy-related security weaknesses that are identi\xef\xac\x81ed during Chief Financial\n             Of\xef\xac\x81cers Act and Of\xef\xac\x81ce of Inspector General audits and for Government\n             Accountability Of\xef\xac\x81ce and OMB Circular A-123, Management\xe2\x80\x99s Responsibility for\n             Internal Control, reviews.\n         \xe2\x80\xa2 \t Implement methods to globally enforce the security awareness policies, and\n             enhance existing methods to identify users who should take the Cyber Secu-\n             rity Awareness Training Course.\n         \xe2\x80\xa2 \t Improve methods to identify individuals with signi\xef\xac\x81cant security responsibili-\n             ties, ensure that they take the required training every 3 years, record the train-\n             ing records in the Of\xef\xac\x81ce of Personnel Management-approved centralized\n             system, and provide management with tools to monitor compliance with the\n             training requirement.\n          The Toolkits provided guidance and ensured standard processes were used to\n      perform C&A of FISMA-related systems. However, effective monitoring was not\n      performed to ensure that systems owners were complying with established guidance\n\n\n\n\n2 .            OIG Report No. AUD/IT-10-10, Review of the Information Security Program at the DOS - Nov 2009\n\n\n                                   UNCLASSIFIED\n\x0c                                             UNCLASSIFIED\n\n\n\n    and methodology. 
Without active monitoring to ensure compliance, controls not\n    tested for systems or networks may not be working effectively and could expose the\n    Department to loss of con\xef\xac\x81dentiality, integrity, or availability.\n\n    Management Comments\n\n        In its consolidated response (Appendix C), the Bureau of Information Resource\n    Management, in coordination with the Bureau of Diplomatic Security and the Bu-\n    reau of Administration, concurred with the report\xe2\x80\x99s nine recommendations. Based\n    on the consolidated response, OIG considers all of the recommendations resolved,\n    pending further action.\n\n\n\n\nOIG Report No. AUD/IT-10-10, Review of the Information Security Program at the DOS - Nov 2009   3 .\n\n\n                                             UNCLASSIFIED\n\x0c                          UNCLASSIFIED\n\n\n\n\n\n4 .   OIG Report No. AUD/IT-10-10, Review of the Information Security Program at the DOS - Nov 2009\n\n\n                          UNCLASSIFIED\n\x0c                                             UNCLASSIFIED\n\n\n\n\n\n                                       BACKGROUND\n\n\n    Federal Information Security Management Act\n\n         The Federal Information Security Management Act of 2002 (FISMA) (Public\n    Law 107-347, title III) recognized the importance of information security to the eco-\n    nomic and national security interests of the United States. It requires each Federal\n    agency to develop, document, and implement an agency-wide program to provide\n    information security for the information systems that support the operations and as-\n    sets of the agency, including those provided or managed by another agency, contrac-\n    tor, or other source. 
FISMA provides a comprehensive framework for establishing\n    and ensuring the effectiveness of management, operational, and technical controls\n    over information technology (IT) that supports Federal operations and assets, and it\n    provides a mechanism for improved oversight of Federal agency information secu-\n    rity programs.\n\n        FISMA assigns speci\xef\xac\x81c responsibilities to Federal agencies, the National Institute\n    of Standards and Technology (NIST), and the Of\xef\xac\x81ce of Management and Budget\n    (OMB) in order to strengthen information system security. In particular, FISMA\n    requires the head of each agency to implement policies and procedures to cost ef-\n    fectively reduce IT security risks to an acceptable level. To ensure the adequacy and\n    effectiveness of information security controls, FISMA requires agency program\n    of\xef\xac\x81cials, Chief Information Of\xef\xac\x81cers (CIO), Senior Agency Of\xef\xac\x81cials for Privacy, and\n    Inspectors General to conduct annual reviews of the agency\xe2\x80\x99s information security\n    program and report the results to OMB.\n\n         Annually, OMB provides guidance with reporting categories and questions for\n    meeting the current year\xe2\x80\x99s reporting requirements. OMB uses this data to assist in\n    its oversight responsibilities and to prepare its annual report to Congress on agency\n    compliance with FISMA.\n\n    Objective\n\n        In accordance with FISMA, the Of\xef\xac\x81ce of Inspector General (OIG) initiated an\n    annual review of the Department of State information security program and prac-\n    tices as they relate to FISMA.\n\n\nOIG Report No. 
AUD/IT-10-10, Review of the Information Security Program at the DOS - Nov 2009   5 .\n\n\n                                             UNCLASSIFIED\n\x0c                                    UNCLASSIFIED\n\n\n\n           The objective of the review was to evaluate the progress the Department had\n      made in implementing an effective information security program and related prac-\n      tices since the last OIG annual FISMA review in FY 2008, Review of the Information\n      Security Program at the Department of State (AUD/IT-08-36, Oct. 2008).\n\n\n\n\n6 .             OIG Report No. AUD/IT-10-10, Review of the Information Security Program at the DOS - Nov 2009\n\n\n                                    UNCLASSIFIED\n\x0c                                             UNCLASSIFIED\n\n\n\n\n\n               RESULTS OF 2009 FISMA REVIEW\n\n\n    CRITICAL, VOLATILE, AND INHERITED CONTROLS WERE NOT\n    ADEQUATELY IDENTIFIED OR TESTED\n        In response to an FY 2008 FISMA report recommendation, the Bureau of\n    Information Resource Management, Of\xef\xac\x81ce of Information Assurance (IRM/IA),\n    improved its Annual Control Assessment Toolkit and provided two training work-\n    shops in May 2009 for systems owners. The Toolkit provided de\xef\xac\x81nitions of what\n    constitute critical and volatile controls as follows:\n\n         \xe2\x80\xa2 \t Critical Control \xe2\x80\x94 Any control is considered critical if the failure of this\n             single control is expected to result in a non-trivial breach of con\xef\xac\x81dentiality,\n             integrity, or availability (denial of service) of information in the system or\n             subsystem.\n\n         \xe2\x80\xa2 \t Volatile Control \xe2\x80\x94 Any control that shows a historical pattern of unreli-\n             ability. 
That shall be interpreted to mean any control for the system that has\n             been veri\xef\xac\x81ed to be working, has subsequently failed, and has not yet been\n             veri\xef\xac\x81ed to be working again in three subsequent tests over at least 2 years.\n\n         The review team found that six (25 percent) of the 23 in-scope high- to mod-\n    erate-impact systems reviewed documented critical or volatile controls in their test\n    programs but that there was no rationale for selecting and testing these controls.\n    Some systems designated a control as critical, while others showed it either as vola-\n    tile or as neither. Signi\xef\xac\x81cant control testing gaps were found for systems that were\n    certi\xef\xac\x81ed and accredited in the FY 2008 report. Test gaps for these systems were\n    virtually identical to testing gaps for annual testing. For many of the testing gaps\n    identi\xef\xac\x81ed, test documentation cited the controls as \xe2\x80\x9cinherited,\xe2\x80\x9d either at the bureau\n    level or from OpenNet. However, the review team found that these controls were\n    not tested at the bureau level and had not been tested by OpenNet. The review team\n    also found that OpenNet did not test or effectively test for the control risks at the\n    bureau or system level. Additionally, the review team reviewed iPost controls as part\n    of the Con\xef\xac\x81guration Management (CM) review and found that while the controls\n    did provide continuous monitoring, they did not compensate for the lack of annual\n    testing for access and other volatile controls at the system level.\n\nOIG Report No. 
AUD/IT-10-10, Review of the Information Security Program at the DOS - Nov 2009   7 .\n\n\n                                             UNCLASSIFIED\n\x0c                                     UNCLASSIFIED\n\n\n\n\n          Section 2.9.2, \xe2\x80\x9cSelection of Security Controls for Monitoring,\xe2\x80\x9d of NIST Special\n      Publication (SP) 800-37, revision 1, Guide for the Security Certi\xef\xac\x81cation and Accreditation of\n      Federal Information Systems, states:\n\n               The criteria for selecting which security controls to monitor and for\n               determining the frequency of such monitoring should be established\n               by the information system owner or common control provider in\n               collaboration with the authorizing of\xef\xac\x81cial or designated representa-\n               tive, chief information of\xef\xac\x81cer, senior agency information security\n               of\xef\xac\x81cer, and risk executive (function). The criteria should re\xef\xac\x82ect the\n               organization\xe2\x80\x99s priorities and importance of the information system\n               (or in the case of common controls, the information systems inherit-\n               ing the controls) to organizational operations and assets, individu-\n               als, other organizations and the Nation in accordance with Federal\n               Information Processing Standards (FIPS) Publication 199, or the\n               Committee on National Security Systems (CNSS) Instruction 1199.\n               Organizations should use risk assessments, results of previous secu-\n               rity assessments, and operational requirements in guiding the selec-\n               tion of security controls to be monitored and the frequency of the\n               monitoring process.\n\n               Priority for control monitoring should be given to the security\n               controls that have the greatest volatility (i.e., the greatest potential\n     
          for change) after implementation and the controls that have been\n               identi\xef\xac\x81ed in the organization\xe2\x80\x99s plan of action and milestones for the\n               information system.\n\n           IRM/IA\xe2\x80\x99s new policy for critical and volatile controls was implemented only in\n      the third quarter of FY 2009. As a result, earlier testing was not compliant with De-\n      partment policy. IRM/IA\xe2\x80\x99s quality control review did not independently verify that all\n      critical and/or volatile controls were tested annually. IRM/IA relied on information\n      system testers to perform the veri\xef\xac\x81cation. The review team found that OpenNet\xe2\x80\x99s\n      boundary de\xef\xac\x81nition was going through signi\xef\xac\x81cant changes, which may have contrib-\n      uted to gaps in Enterprise Control testing.\n\n         Controls not tested for the systems or network may not be working effectively\n      and could expose Department data to loss of con\xef\xac\x81dentiality, integrity, or availability.\n\n\n\n\n8 .              OIG Report No. 
AUD/IT-10-10, Review of the Information Security Program at the DOS - Nov 2009\n\n\n                                     UNCLASSIFIED\n\x0c                                             UNCLASSIFIED\n\n\n\n\n        Recommendation 1: The Chief Information Security Of\xef\xac\x81cer and the Bureau\n        of Information Resource Management (IRM) should:\n\n              \xe2\x80\xa2 Work with systems owners to identify critical and volatile controls to test\n              and use National Institute of Standards and Technology (NIST) Special\n              Publication (SP) 800-53, revision 3, Recommended Security Controls for Federal\n              Information Systems, August 2009, P1 priority controls as a starting point.\n              \xe2\x80\xa2 Establish procedures to verify that volatile controls are correctly deter-\n              mined and tested.\n              \xe2\x80\xa2 Expand the IRM quality control program to include analysis of how well\n              certi\xef\xac\x81cation testing addresses critical, volatile, and inherited controls and\n              to also determine whether all controls are tested over a 3-year certi\xef\xac\x81cation\n              and accreditation cycle.\n              \xe2\x80\xa2 Review inherited control selection procedures and update policy in the\n              Toolkit to ensure that misunderstandings about critical but inherited con-\n              trol testing responsibility are resolved.\n              \xe2\x80\xa2 Provide formal guidance on which NIST SP 800-53, revision 3, controls\n              may be inherited from OpenNet and the conditions under which such in-\n              heritance will be approved.\n\n\n\n    Management Response and OIG Reply\n\n        IRM concurred with the recommendation, stating that it will update the C&A\n    toolkit to clarify how inherited controls may be selected, update the exit criteria\n    checklist to ensure that inherited controls are selected in a manner consistent with\n    
policy, and ask NIST to map controls to the vulnerabilities listed on the National\n    Vulnerability Database. Based on the response, OIG considers the recommendation\n    resolved, pending further action.\n\n\n\n    CONNECTIVITY BETWEEN CONTRACTOR SYSTEMS AND\n    DEPARTMENT SYSTEMS WAS NOT ADEQUATELY IDENTIFIED,\n    TESTED, AND MONITORED\n        In response to two FY 2008 FISMA report recommendations, the Department\n    modi\xef\xac\x81ed the certi\xef\xac\x81cation and accreditation (C&A) toolkits to instruct systems own-\n    ers to (a) identify external inter-connections and include copies of required Intercon-\n    nection Security Agreement (ISA) and Memorandum of Understanding/Agreement\n    (MOU/MOA) documents in the System Security Plan (SSP) and (b) test and verify,\n\nOIG Report No. AUD/IT-10-10, Review of the Information Security Program at the DOS - Nov 2009   9 .\n\n\n                                             UNCLASSIFIED\n\x0c                                     UNCLASSIFIED\n\n\n       at least annually, that interconnection agreements are listed and current in the SSP.\n       The C&A toolkits were modi\xef\xac\x81ed by IRM/IA to include speci\xef\xac\x81c instructions for the\n       following:\n\n           \xe2\x80\xa2 \t Requesting that systems owners update and add to the SSP any information\n               on ISA, MOU, and MOA interconnections.\n           \xe2\x80\xa2 \t Modifying the inventory data call so that it includes:\n               \xe2\x96\xab\t Reviewing the completeness and content of systems connections identi-\n                  \xef\xac\x81ed in SSPs,\n               \xe2\x96\xab\t Accurately assessing the risk that those connections pose to other De-\n                  partment systems, and\n               \xe2\x96\xab\t Verifying (at least annually) that all active connections to/from existing\n                  major information systems are completely listed in the SSPs.\n            The review team found that 13 
(57 percent) of 23 in-scope unclassi\xef\xac\x81ed systems\n       listed MOU/MOA information in their SSPs, as required, as compared with nine (50\n       percent) of 18 in-scope unclassi\xef\xac\x81ed systems assessed during the 2008 FISMA review,\n       as shown in Table 1.\n\n       Table 1. MOUs in SSPs\n\n                            Pass/Fail History Table \n\n                   CA-3 Information System Connections\n\n                                 MOUs/Contracts\n\n                   Fiscal Year 2008                Fiscal Year 2009\n                 Number Percent                  Number     Percent\n       Pass         9          50%                  13          57%\n       Fail         9          50%                  10          43%\n       Total       18         100%                  23         100%\n\n           In FY 2009, the review team found that 11 (48 percent) of the 23 in-scope\n       systems veri\xef\xac\x81ed and tested CA-3 control requirements compared with seven (39\n       percent) of 18 in-scope systems tested during the FISMA 2008 review, as shown in\n       Table 2.\n\n\n\n\n10 .             OIG Report No. AUD/IT-10-10, Review of the Information Security Program at the DOS - Nov 2009\n\n\n                                     UNCLASSIFIED\n\x0c                                             UNCLASSIFIED\n\n\n\n    Table 2. 
Veri\xef\xac\x81ed and Tested C-3 Control\n\n                                 Pass/Fail History Table\n\n\n                        CA-3 Information System Connections\n\n\n                        Control Requirements Veri\xef\xac\x81ed & Tested\n\n                      Fiscal Year 2008                      Fiscal Year 2009\n                  Number      Percent                    Number      Percent\n     Pass            7             39%                      11           48%\n     Fail            11            61%                      12           52%\n     Total           18            100%                     23           100%\n\n         Section CA-3, \xe2\x80\x9cInformation System Connections,\xe2\x80\x9d of NIST SP 800-53A, Guide\n    for Assessing the Security Controls in Federal Information System, July 2008, states the follow-\n    ing:\n\n              (i) \t     The organization identi\xef\xac\x81es all connections to external information\n                        systems (i.e., information systems outside of the accreditation bound-\n                        ary);\n              (ii) \t    The organization authorizes all connections from the external infor-\n                        mation system through the use of system connection agreements;\n                        and\n              (iii) \t   The organization monitors and controls the system interconnections\n                        on an ongoing basis.\n        IRM/IA was not monitoring the SSPs to ensure that they were completed cor-\n    rectly and that the CA-3 control was tested. Additionally, the toolkit was not updated\n    timely and communicated to the appropriate systems owners prior to their complet-\n    ing their annual testing.\n\n         Systems connections, both internal and external, provide the electronic path for\n    access and interfaces to both operating and application systems. 
Lack of formal identification, documentation, and testing of these connections might make these systems susceptible to security weaknesses that may impact their integrity and availability.

Recommendation 2: The Chief Information Security Officer, Bureau of Information Resource Management, and systems owners should:

• Supplement the current information provided in the Certification and Accreditation (C&A) Main Toolkit and Inventory Toolkit with additional guidance to include at least the following supplemental directives:
  ▫ Federal Information Security Management Act control CA-3 as a requirement in the annual testing list of "critical" or "volatile" controls for all moderate- and high-impact systems.
  ▫ Guidance on how to test and verify that the control is operating effectively.
• Be more proactive in reviewing System Security Plans and test results to ensure compliance with the methodology in the C&A Toolkits.

Management Response and OIG Reply

IRM concurred with the recommendation but stated that it did not believe it should identify a set of critical and volatile controls (C&VC) at the Department level that should be considered C&VC for all systems in the enterprise, and it proposed new criteria. The proposed new criteria would require that the C&A toolkits be modified to provide a proper definition of C&VCs and that verification be performed to ensure that C&VCs are identified and tested. Based on the response, OIG considers the recommendation resolved, pending further action.

CONTINGENCY PLAN TOOLKITS SHOULD BE IMPROVED

IRM/IA made improvements to its CP toolkits in response to two FY 2008 FISMA report recommendations. In the third quarter of FY 2009, IRM/IA created the Contingency Plan Test Toolkit, which provided systems owners with clear direction on CP test requirements, including documenting test results. The Toolkit outlined an improved process and provided the guidance systems owners needed to conduct CP tests appropriately. However, the review team found that some systems owners did not use the updated Toolkit and that the instructions in the Toolkit did not clearly communicate the requirements. Specifically, the review team found that CPs were not updated after contingency control failures following the annual contingency planning test, when significant changes occurred, and when annual tests were performed. Exceptions noted for the 23 in-scope systems reviewed are as follows:

1. The Consular Data Information Transfer System (CDITS) had three CP controls that failed in the System Accreditation Report (SAR). The controls that failed should have been identified previously as having failed in FY 2008 testing. These failures were not noted in the CP. The CP was dated August 17, 2009, and the report was dated August 17, 2009.

2. The Global International Narcotics and Law Enforcement (GINL) system had 11 failed CP controls during the SAR dated July 31, 2008. The SSP was dated December 31, 2007, and included failed CP controls. In the comments section, the plan was to be approved by January 2008. The last CP was dated December 31, 2007, and had not been updated to reflect these failed controls. The last CP Test was dated May 22, 2008, and was a "walkthrough," even though the SSP and System Categorization Form (SCF) stated that GINL was a high-risk system. High-risk systems required a "functional" test in addition to a "walkthrough."

3. The OpenNet Electronic State Configuration Resource (e-SCORE) system was identified in the SSP and SCF as a high-risk system and had only a checklist and walkthrough test performed on May 28, 2009. The last Contingency Plan was dated March 21, 2007.

4. The Integrated Document Management & Analysis System (IDMAS) had a CP dated May 2, 2007 (contact names were updated January 30, 2008). However, in the IDMAS Self Assessment dated May 10, 2007, CP-4, CP-5, and CP-7 were documented as "would fail." IDMAS had two failed CP security controls in the SSP dated January 29, 2008. The Authority to Operate (ATO) dated May 30, 2008, had open CP findings, even though they were identified in the POA&M in May 2008.

5. The Public Key Infrastructure and BLADE (PKI/Blade) system had an Annual Assessment dated July 10, 2009, with no CP findings. In the POA&M report, PKI/Blade had open CP findings. The CP Test was a failover test, dated February 3, 2009, with POA&M findings. The CP was dated November 16, 2008. There was also a Significant Change to the system on May 22, 2009. A Significant Change to the system requires a new CP and test, according to NIST SP 800-84, Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities, September 2006.

OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources, requires agencies to establish and periodically test the capability to continue providing services within a system based upon the needs and priorities of the system functionality. NIST SP 800-53, revision 2, further requires that agencies test and update their systems' CPs at least annually. The Foreign Affairs Manual (FAM) provides guidance on CP, in addition to the guidance provided by the IRM/IA toolkits.

The C&A CP Toolkit did not indicate that CPs were to be updated and reviewed by IA following failures in CP testing or failed testing of CP controls during the systems' annual or C&A tests.
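The CP requirements cited above (annual test and update, a functional test for high-risk systems, a revised CP after failed controls, a new CP and test after a Significant Change) can be applied mechanically to the per-system dates the report lists. The following checker is an added example, not part of the report or of the IRM/IA toolkits; the review date, the treatment of a failover test as a functional test, and the per-system records are assumptions constructed from the exceptions listed above.

```python
"""Contingency plan (CP) exception checker.

Added example, not part of the OIG report or of IRM/IA's toolkits. It encodes
the CP requirements the report cites as checks over per-system records:
  - CP tested and updated at least annually (NIST SP 800-53, revision 2);
  - a "functional" test, not only a "walkthrough", for high-risk systems;
  - a revised CP after any failed CP test or control (Recommendation 3);
  - a new CP and test after a Significant Change (NIST SP 800-84, as cited).
The records below are constructed from the dates the report gives for four of
the 23 in-scope systems; fields the report does not state are None, and the
review date is an assumption.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

ANNUAL = timedelta(days=365)
# Assumption: a failover test counts as a functional test.
FUNCTIONAL_TESTS = {"functional", "failover"}
REVIEW_DATE = date(2009, 9, 30)  # assumed end of the FY 2009 review period


@dataclass
class CPRecord:
    system: str
    impact: Optional[str]          # "high", "moderate", "low", or None if not stated
    cp_date: Optional[date]        # date of the current contingency plan
    test_date: Optional[date]      # date of the last CP test
    test_type: Optional[str]       # "walkthrough", "checklist", "functional", "failover"
    failed_controls: int           # CP controls recorded as failed in the last assessment
    failure_date: Optional[date]   # date of the report that recorded those failures
    significant_change: Optional[date] = None


def check_cp(rec: CPRecord, review_date: date = REVIEW_DATE) -> Dict[str, List[str]]:
    """Evaluate one system. Returns the exceptions found and the fields missing
    from the record; a missing field is reported as a gap rather than silently
    passing or failing the check that needs it."""
    exc: List[str] = []
    gaps: List[str] = []

    # Annual update and test (NIST SP 800-53 rev. 2).
    if rec.cp_date is None:
        gaps.append("CP date not on record")
    elif review_date - rec.cp_date > ANNUAL:
        exc.append("CP not updated within the last year")
    if rec.test_date is None:
        gaps.append("last CP test date not on record")
    elif review_date - rec.test_date > ANNUAL:
        exc.append("CP not tested within the last year")

    # Test depth must match the SCF availability impact level.
    if rec.impact is None:
        gaps.append("impact level not on record")
    elif rec.impact == "high" and rec.test_type not in FUNCTIONAL_TESTS:
        exc.append("high-risk system tested by walkthrough/checklist only")

    # Failed CP controls must be reflected in a CP revised after the failing report
    # (a CP dated the same day as the report is treated as not revised).
    if rec.failed_controls and rec.failure_date is not None:
        if rec.cp_date is None or rec.cp_date <= rec.failure_date:
            exc.append(f"{rec.failed_controls} failed CP control(s) not reflected in a revised CP")

    # A Significant Change requires a new CP and a new test dated after it.
    if rec.significant_change is not None:
        if rec.cp_date is None or rec.cp_date < rec.significant_change:
            exc.append("CP predates Significant Change")
        if rec.test_date is None or rec.test_date < rec.significant_change:
            exc.append("CP test predates Significant Change")

    return {"exceptions": exc, "gaps": gaps}


# Constructed records; the dates are those the report lists for each system.
SYSTEMS = [
    CPRecord("CDITS", None, date(2009, 8, 17), None, None, 3, date(2009, 8, 17)),
    CPRecord("GINL", "high", date(2007, 12, 31), date(2008, 5, 22), "walkthrough",
             11, date(2008, 7, 31)),
    CPRecord("e-SCORE", "high", date(2007, 3, 21), date(2009, 5, 28), "walkthrough",
             0, None),
    CPRecord("PKI/Blade", None, date(2008, 11, 16), date(2009, 2, 3), "failover",
             0, None, significant_change=date(2009, 5, 22)),
]


def run_review(review_date: date = REVIEW_DATE) -> Dict[str, Dict[str, List[str]]]:
    """Run every record through check_cp, keyed by system name."""
    return {rec.system: check_cp(rec, review_date) for rec in SYSTEMS}


if __name__ == "__main__":
    for name, result in run_review().items():
        print(f"{name}: {len(result['exceptions'])} exception(s)")
        for line in result["exceptions"]:
            print(f"  - {line}")
        for line in result["gaps"]:
            print(f"  ? {line}")
```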
Additionally, the toolkit may have been updated too late for most of the systems owners to use during the FY 2009 testing to comply with OMB guidance and NIST requirements.

Without adequate testing of contingency plans, the Department cannot ensure that systems will operate properly or in a timely manner during an emergency or disruption of service. Loss of the Department's IT systems could limit management's ability to perform its missions, including its critical functions in service to the public.

Recommendation 3: The Chief Information Security Officer, Bureau of Information Resource Management, and systems owners should take the following actions:

• Update the Contingency Plan (CP) Toolkit to include the requirement that systems owners should review and revise the CP after any failed CP test results.
• Update the CP exit criteria checklist to include verification by the Bureau of Information Resource Management, Office of Information Assurance (IRM/IA), that the systems owners:
  ▫ Conduct CP testing in accordance with the system's National Institute of Standards and Technology Special Publication 800-60, revision 1, Guide for Mapping Types of Information and Information Systems to Security Categories, August 2008, availability impact level as indicated on the Security Categorization Form (SCF).
  ▫ Create a Plan of Action and Milestones for each failed CP test/control.
  ▫ Update the CP to address each failed CP test/control (or provide clear documentation explaining why no such update is necessary).
• Update the exit checklists for the six documents listed to include verification by IRM/IA that each document is consistent with the SCF, and modify the SCF checklist to include verification by IA that these documents are updated if the impact level is revised upward. The documents are as follows:
  ▫ The System Security Plan
  ▫ The Contingency Plan
  ▫ The Security Control Assessment Plan (SCAP)
  ▫ The Certification Report
  ▫ The Authority To Operate
  ▫ Future Annual or Certification and Accreditation Tests

Management Response and OIG Reply

IRM concurred with the recommendation, stating that it plans to update the CP Toolkit to include requirements that system owners should review and revise the CP after any failed CP test results and also modify the CP exit criteria checklist to verify that the systems owners are conducting CP tests in accordance with NIST guidance. Based on the response, OIG considers the recommendation resolved, pending further action.

MANAGEMENT OF CONFIGURATION MANAGEMENT CONTROLS PROCESS WAS NOT ADEQUATE

The review team found that implementation and monitoring of configuration management (CM) controls, including the scanning process, were decentralized and shared among bureaus, Information Systems Security Officers (ISSO), and IRM/IA. Over half of the 23 in-scope systems reviewed showed CM exceptions, based on reviews of SSPs, annual testing results, and routine scanning results as reported in iPost and then used for risk scoring. iPost routinely made scanning results available to systems owners, and the risk scoring reports and associated quarterly notifications to responsible system owners raised the visibility of CM weaknesses and provided roadmaps for correction. The resulting 90 percent reduction in overall risk during the past year was a graphic demonstration of iPost's potential.

The review team found, however, that these centralized controls were not fully integrated with decentralized bureau and system-level controls and did not address significant risks, as follows:

• Only 90 percent of Windows servers were compliant with Systems Management Server (SMS) reporting requirements, leading to unreliable patch and virus management reporting. Time penalties in risk scoring have had only a limited effect (for example, Automated Biometric Identification System (ABIS) and IT Asset Baseline (ITAB) 877) in inducing local managers to improve performance. Recurring patch management performance issues by some sites as reported in iPost suggested that a stronger approach be considered.
• CM testing was inconsistent. Annual testing by system owners failed to include CM-6 (Configuration Settings), which is a critical and volatile control. The problem was exacerbated by the failure of routine scanning to include database configuration. In three instances where CM-6 controls were tested as part of recertification (ABIS #877, CDITS #964, and Travel Document Issuance System Inquiry (TDIS) ITAB #89), the system failed CM-6 tests and related critical control tests (Access Controls, Systems Acquisition, and System and Information Integrity: AC-3, AC-6, AC-7, IA-5, SA-6, SA-7, and SI-2). However, other related controls (Audit and Accountability and Identification and Authentication (AU-2 and IA-4)) were successfully tested.
• The scanning tools failed to query Oracle configuration, the Department's most common database system, for configuration control weaknesses that could have significant impact on application access controls.
• Scanning results for routers, firewalls, and Demilitarized Zone (DMZ) servers were not available in iPost; therefore, they were not used in risk scoring. Also, outbound e-mail content filtering was not implemented.
• The results from Intrusion Detection Systems (IDS) scanning were not reported in iPost or utilized in risk scoring.
• Risk scores were available for individual Windows hosts and aggregated to the site level based on Active Directory units. The scores were not aggregated by application systems, which would have been useful for business process owners and bureau management.

FISMA¹ requires each agency to develop minimally acceptable system configuration requirements and ensure compliance with them. Standard security configurations provide a baseline level of security, reduce risk from security threats and vulnerabilities, and save time and resources. These controls allow agencies to improve system performance, decrease operating costs, and ensure public confidence in the confidentiality, integrity, and availability of government information. Agencies are to cite the frequency by which they implemented system configuration requirements and must document and provide NIST with any deviation from common security configurations.

Responsibility for the implementation of CM controls for the systems, operating systems, databases, and network, including the scanning process, was decentralized, and the majority of the automated scanning results were not centralized and included in iPost for reporting and risk scoring.

If reporting and risk scores in iPost are not accurately identifying the action risk to systems because the scores were limited to the Windows environment and did not include critical scan results, such as the application databases and the network (firewall, routers, and switches), Department data may be exposed to loss of integrity and confidentiality because configuration standards may not be implemented.

¹ Pub. L. No. 107-347 § 3544(b)(2)(D)(iii).

Recommendation 4: The Chief Information Security Officer, Bureau of Information Resource Management, the Systems Integrity Director of Diplomatic Security, and the Deputy Chief Information Officer for Business Planning and Customer Service should:

• Address the extent to which centralization versus decentralization of control testing, remediation, and management should be readjusted to produce better configuration management (CM).
• Analyze and document the extent to which centralized automation of CM is an efficient and more cost-effective method than the current decentralized method.
• Develop an Information Security Architecture that considers how to request, review, document, and approve CM exceptions that may be necessary to allow the business of the Department of State to be conducted and provide criteria for the decision process.

Management Response and OIG Reply

IRM concurred with the recommendation to create an Information Security Architecture for the Information System Department. Based on the response, OIG considers the recommendation resolved, pending further action.

SECURITY WEAKNESSES IN IPOST WERE NOT CAPTURED IN THE DEPARTMENT POA&M DATABASE

IRM/IA managed a centralized POA&M Department database where security weaknesses from all the various bureaus were identified quarterly, monitored, and used to generate the quarterly reports for OMB reporting.
However, systemic security weaknesses identified through the iPost/Site Scoring process were not entered into the Department's POA&M database when they were not resolved immediately. Systemic weaknesses require a broader process/policy/budget change and not just technical mitigation of a particular weakness with existing resources. They may also include weaknesses that might require project management and/or coordinated action among multiple departments or bureaus to resolve.

OMB Memorandum M-04-25, FY 2004 Reporting Instructions for the Federal Information Security Management Act, August 23, 2004, states that the POA&M process was designed to resolve IT security control weaknesses with prioritization to ensure that vulnerabilities are addressed in a timely and cost-effective manner. Memorandum M-04-25 includes a spreadsheet that should be used as a model to identify and develop specific weaknesses, points of contact, resources required, scheduled completion dates, milestones with attendant completion dates, changes in milestones, and statuses.

FISMA requires that agencies develop POA&Ms to capture weaknesses identified during the C&A process, Office of Inspector General (OIG) or Chief Financial Officers (CFO) Act audits, and internal control reviews. These weaknesses need to be corrected and/or mitigated.

The POA&M process facilitates the remediation of security weaknesses and provides a means of planning and monitoring corrective actions, categorizing risk, defining roles and responsibilities for security weakness resolution, assisting in identifying the resource requirements necessary to mitigate the weaknesses, tracking and prioritizing resources, and informing decision makers. Also, NIST² recommends that the POA&M be updated, stating, "The updates should occur at appropriate intervals to capture significant changes to the information system, but not so frequently as to generate unnecessary paperwork."

The iPost/Site Scoring process has been in production approximately a year, and the review team found that the process is evolving and has a lot of potential. However, IA has not yet developed a process to report systemic weaknesses that are not remediated within a predefined time period into the centralized POA&M database.

The centralized POA&M did not include iPost systemic security weaknesses. Security weaknesses that remain unresolved for an extended period of time may increase vulnerabilities and exposures that could be exploited by intruders, and they may impact the integrity, availability, and confidentiality of the Department's systems and the network infrastructure.

Recommendation 5: The Chief Information Security Officer, Bureau of Information Resource Management, should work with systems owners to accomplish the following:

• Record systemic security weaknesses identified through the iPost/Site Scoring process as Plan of Action and Milestones (POA&M) actions to ensure the weaknesses are tracked, prioritized, and remediated.
• Report POA&M actions on a quarterly basis for sites that have low scores, requiring them to raise those scores.
• Report POA&M actions for risk covered by iPost scoring "exceptions."

² NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems.

Management Response and OIG Reply

IRM indicated concurrence with the recommendation to record systemic security weaknesses identified in iPost in the Department POA&M database, but it expressed "reservations" about the statement that all technical weaknesses must be closed and that iPost scoring is not part of the POA&M process. Based on the response, OIG considers this recommendation resolved, pending further action.

INFORMATION SECURITY WEAKNESSES WERE NOT ADEQUATELY MANAGED

IRM/IA and the respective bureaus need to improve management of security weaknesses. The review team found that policies, procedures, and tools are in place to track, maintain, update, validate, and prioritize security weaknesses at each of the respective bureaus. Also, quarterly updates from the respective bureaus' databases were consolidated in the Department database that was managed by IA. However, the review team found that active monitoring, validation, and implementation of remediation steps to correct the security weaknesses were not performed by the respective bureaus or by IA, as was reported in the FY 2008 FISMA report.

POA&Ms were not updated when there was a change in status. The review team found that the FY 2009 third quarter Corrective Action Plan (CAP) that was sent to OMB showed that the Bureau of Consular Affairs (CA) had 28 POA&M actions with "120 days overdue" dates, which was over 50 percent of the POA&M action items listed on the CAP report. Discussions with management and a review of the CA POA&M database revealed that many of these items had been corrected, but the POA&M status was not updated before these items were reported to CAP and issued to OMB.

FISMA requires that agencies develop POA&Ms to capture weaknesses identified during the C&A process, OIG or CFO Act audits, and internal control reviews. These weaknesses need to be corrected and/or mitigated. The POA&M process facilitates the remediation of security weaknesses and provides a means for planning and monitoring corrective actions, categorizing risk, defining roles and responsibilities for security weakness resolution, assisting in identifying the resource requirements necessary to mitigate the weaknesses, tracking and prioritizing resources, and informing decision makers. Also, NIST³ recommends that the POA&M be updated, stating, "The updates should occur at appropriate intervals to capture significant changes to the information system, but not so frequently as to generate unnecessary paperwork."

³ NIST SP 800-37.

According to the FAM:⁴

Quarterly, systems owners must review and update their plan-of-action-and-milestones (POA&M) tool:

(1) POA&M reports must list residual risks and remediation efforts associated with the information systems under their control (see 5 FAM 814 for definition of system owner);

(2) Failure to submit quarterly POA&M updates may result in loss of funding and could lead to loss of accreditation and termination of the program.

According to IA management, there had been several personnel changes in the functional area that managed the POA&M process. As a result, there had been a lack of oversight to ensure that bureaus were in compliance with POA&M policies and guidelines.

Security weaknesses that remain unresolved for an extended period of time may increase vulnerabilities and exposures that could be exploited by intruders and may impact the integrity, availability, and confidentiality of systems and the network infrastructure. Without a POA&M process that validates that security weaknesses were remediated in a timely manner, management could not ensure that its systems were adequately secured and protected.

Recommendation 6: The Chief Information Security Officer, Bureau of Information Resource Management, should work with systems owners to implement the following:

• Coordinate with systems owners to develop a method that ensures that each systems owner provides timely and complete updates to the Plan of Action and Milestones (POA&M) databases and to relevant officials, including the Bureau of Information Resource Management, Office of Information Assurance (IA), on a regular basis (Recommendation 4 in the FY 2008 FISMA report).
• Ensure that IA management implements a process to validate information in the Department of State POA&M database and performs a quality review on the Corrective Action Plan report before it is submitted to the Office of Management and Budget.

⁴ 5 FAM 1063.5c, "Reporting."

Management Response and OIG Reply

IRM concurred with the recommendation, stating that it will perform a quality assurance review before submitting the CAP to OMB and will provide "formal quarterly grade letters" to bureaus on the quality of their POA&M process implementation.
Based on the response, OIG considers the recommendation resolved, pending further action.

IT AUDIT-RELATED SECURITY WEAKNESSES WERE NOT ADEQUATELY MANAGED

The review team noted there were no Standard Operating Procedures (SOP) for managing IT-related security weaknesses identified during CFO and OIG audits and GAO and OMB Circular A-123, Management's Responsibility for Internal Controls, reviews:

• OIG provided an extract of its Compliance Analysis and Tracking System (CATS) database to IRM/IA using codes that were provided by IRM/IA. The CATS database did not include an attribute to indicate whether an OIG recommendation was IT related. Because of the lack of this identifier, IRM/IA had to manually review the extract provided by OIG and then import the recommendations deemed to be related to IT into IRM/IA's Department-level (POA&M) database. There was no evidence that a root cause analysis was performed and that these recommendations were actionable with milestones and scheduled completion dates.
• Audits conducted by external auditors were not included in the CATS database. According to the OIG, IT recommendations from the A-123 reviews were provided directly to IRM, and IRM was responsible for distributing the recommendations to the responsible bureaus and importing them into the Department POA&M database. No formal documented procedures existed to process these recommendations, and there was no evidence that a root cause analysis was performed and that these recommendations were actionable with milestones and scheduled completion dates.
• IT audit recommendations resulting from CFO audits of IT general and application controls for financial accounting application systems were sent directly to IRM/IA and imported into the Department's POA&M database. There was no evidence that a root cause analysis was performed and that these recommendations were actionable with milestones and scheduled completion dates.

The review team found that no formal process and no centralized process for identifying and managing IT-related audit findings existed. Overlaps were not identified and jointly managed, and recommendations that impacted both IT and business processes were not analyzed for root cause and addressed in a collaborative way by both IRM/IA and the respective bureaus. In most instances, the review team found that recommendations or Notices of Potential Recommendations (NFR) were not analyzed for root cause and made actionable with milestones before they were imported into the POA&M Department database.

FISMA requires that agencies develop POA&Ms to capture weaknesses identified during the C&A process, OIG and CFO Act audits, and internal control reviews. These weaknesses need to be corrected and/or mitigated. The POA&M process facilitates the remediation of security weaknesses and provides a means for planning and monitoring corrective actions, categorizing risk, defining roles and responsibilities for security weakness resolution, assisting in identifying the resource requirements necessary to mitigate the weaknesses, tracking and prioritizing resources, and informing decision makers. Also, NIST recommends that the POA&M be updated, stating, "The updates should occur at appropriate intervals to capture significant changes to the information system, but not so frequently as to generate unnecessary paperwork."

The FAM⁵ defines responsibilities of the Assistant Secretary for Resource Management and Chief Financial Officer that include the following:

(7) Provides advice and technical assistance in developing necessary guides for performing risk assessments and management control reviews and designing management control systems;

(8) Approves subsequent plans for risk assessments and reviews of management control systems;

(9) Establishes and maintains a program of quality assurance over management control evaluations, reviews, and follow-up corrective actions;

(10) Recommends Management Control Steering Committee action on proposed management control designs;

(11) Ensures that appropriate follow-up action is taken on management control deficiencies and financial losses by providing necessary guidance in designing needed additional controls;

(12) Maintains a continuing liaison with and awareness of the activities of other Department elements having responsibilities for activities that contribute to the goals and objectives of the management control program; and

(13) Reviews Government Accountability Office, Inspector General, contractor, or management reports that apply in whole or in part to management controls; reviews the analyses that Information Resource Management (IRM) performs, which focus on automated systems (general and application controls); and ensures that risk assessments, management control reviews, and determinations of deficiencies consider these sources of information.

⁵ 2 FAM 022.3, "The Assistant Secretary for Resource Management and Chief Financial Officer."

The OIG database did not have an attribute that uniquely tagged each IT recommendation to facilitate the process for IRM/IA to extract only IT-related recommendations into the Department POA&M database. Each OIG functional area submitted its IT-related audit findings or recommendations to IRM/IA, and no formal SOP existed to identify root causes and turn these weaknesses into POA&M actionable items.

Some IT-related recommendations may not be tracked in the OIG database and imported into the POA&M database. Additionally, there may be duplicate efforts or lack of efforts to jointly manage and implement controls to remediate IT-related findings from OIG, GAO, and CFO audits and A-123 reviews. Without an effective process that ensured that these security weaknesses were tracked and remediated in a timely manner, management did not have assurance that its systems were adequately secured and protected. This may impact the integrity, availability, and confidentiality of systems and the environment.

Recommendation 7: The Chief Financial Officer, Bureau of Information Resource Management, and systems owners should work together to develop, publish, and implement detailed Standard Operating Procedures (SOP) for addressing information technology (IT) audit-related weaknesses and findings. These SOPs should define the following:

• Clear objectives and criteria on what should be actionable and tracked in the Office of Information Assurance Plan of Action and Milestones (POA&M) Department of State database and how duplicated findings or findings that include business processes and multiple bureaus should be addressed in a collaborative effort among various parties.
• Responsibilities for each functional area in reviewing the findings or recommendations or notices of potential findings and turning them into actionable items to include root cause analyses, proposed actionable solutions, responsible parties for implementing the solutions, and milestones/tasks, including reasonable, scheduled completion dates, before they are imported into the POA&M Department database.

Management Response and OIG Reply

IRM concurred with the recommendation to work with CFO and Circular A-123 auditors to create SOPs for addressing information technology audit-related weaknesses, as recommended. Based on the response, OIG considers the recommendation resolved, pending further action.

SECURITY AWARENESS TRAINING REQUIREMENTS WERE NOT ENFORCED

The Department has developed and implemented information security policies and procedures, including several information security awareness programs, to comply with NIST requirements and OMB guidance. The policy requires that all users take the web-based Cyber Security Awareness Course within 10 days of being granted log-in access to OpenNet (Department of State Network). The review team found that not all users with access to OpenNet took the PS800 Cyber Security Awareness Course within 10 days of access to OpenNet or annually by their course anniversary date. Users were reminded of this requirement, most recently in 08 All Diplomatic and Consular Posts telegram (ALDAC) 087187 and Department Notice 2008_08_060. The review team found that enforcement of this requirement was not uniform from site to site. The Department used Active Directory (AD) to identify all OpenNet users who were required to take the course. OIG reported to OMB in FY 2008 that 55,000 (81 percent to 95 percent) employees and contractors had taken the Cyber Security Awareness Course.
IRM reported that as of Septem-\n       ber 1, 2009, the State Department had 70,000 OpenNet users, and the Bureau of\n       Diplomatic Security reported that 67,800 users (97 percent) had taken the Cyber\n       Security Awareness course.\n\n           FISMA requires that agencies have suf\xef\xac\x81ciently trained personnel to assist the\n       agency in complying with FISMA and related policies, procedures, standards, and\n       guidelines. FISMA also states that the required agency-wide information security\n       program \xe2\x80\x9cshall include security awareness training to inform personnel, including\n       contractors, of information security risks associated with their activities, and their\n       responsibilities in complying with agency policies and procedures designed to reduce\n       these risks.\xe2\x80\x9d NIST SP 800-53, revision 2, recommends that basic security awareness\n       training be provided to all new information systems users (employees and contrac-\n       tors) before granting them log-in privileges to the system. It also states that employ-\n       ees should be provided with security awareness training annually to remind them of\n       their responsibilities to protect information assets.\n\n          Enforcement of the PS800 Cyber Security Awareness course completion require-\n       ment was a decentralized function at the ISSO level. The Department\xe2\x80\x99s policy to\n24 .             OIG Report No. AUD/IT-10-10, Review of the Information Security Program at the DOS - Nov 2009\n\n\n                                     UNCLASSIFIED\n\x0c                                             UNCLASSIFIED\n\n\n    revoke a user\xe2\x80\x99s access to the network if the course was not taken within 10 days of\n    access to OpenNet or annually by the employee\xe2\x80\x99s course anniversary date was not\n    mandatorily enforced by all ISSOs. 
The existing link between AD and the PS800\n    Cyber Security Database did not ensure that all users added to AD were also in the\n    database. The ISSOs were responsible for notifying employees within their function-\n    al area of responsibility of the requirement to complete the course.\n\n        Security awareness training educates employees about the methods the agency\n    has implemented to protect information assets, the controls implemented, and the\n    risks to the organization if those controls are compromised. Employees who are\n    not properly trained about computer security may cause, contribute to, or become\n    victims of vulnerabilities or security breaches, such as e-mail exploits, account or\n    password sharing, inadequate safeguarding of passwords or computer resources,\n    Internet misuse, corporate espionage, and social engineering.\n\n\n\n        Recommendation 8: The Director of the Foreign Service Institute and the\n        Director of the Of\xef\xac\x81ce of Computer Security, Bureau of Diplomatic Security,\n        should:\n         \xe2\x80\xa2Implement methods to globally enforce the security awareness policies to\n           suspend a user\xe2\x80\x99s access if the Cyber Security Awareness Course is not taken\n           within 10 days of access to the Department of State Network or annually by\n           the employee\xe2\x80\x99s anniversary date.\n         \xe2\x80\xa2Enhance already existing connectivity between Active Directory (AD) and the\n           Course so that each time a user is created in AD, the user\xe2\x80\x99s identi\xef\xac\x81cation is\n           also registered in the Cyber Security database per Diplomatic and Consular\n           Posts telegram ALDAC 087187 and Department Notice 2008_08_060.\n         \xe2\x80\xa2Provide additional monitoring tools for the Information Systems Security Of-\n           \xef\xac\x81cers to ensure user compliance with established policies.\n\n\n\n\n    Management Response 
and OIG Reply\n\n        IRM concurred with the recommendation, stating that it will implement methods\n    globally to enforce the security awareness policy, integrate information in the Active\n    Directory with information in the Cyber Security Awareness database, and provide\n    ISSOs with monitoring tools to ensure compliance with Information Security Aware-\n    ness policies. Based on the response and the actions already taken, OIG considers\n    the recommendation resolved, pending further action.\n\n\nOIG Report No. AUD/IT-10-10, Review of the Information Security Program at the DOS - Nov 2009   25 .\n\n\n                                             UNCLASSIFIED\n\x0c                                     UNCLASSIFIED\n\n\n\n\n       ALL EMPLOYEES WITH SIGNIFICANT SECURITY RESPONSIBILITIES\n       DID NOT ATTEND REQUIRED ROLE-BASED TRAINING\n           The Department developed and implemented a \xe2\x80\x9crole-based information assur-\n       ance training program\xe2\x80\x9d to meet the federal requirements under FISMA and OPM\n       guidance. The FY 2007 Information Assurance Training Plan identi\xef\xac\x81ed and provided\n       speci\xef\xac\x81c training courses for the following identi\xef\xac\x81ed roles: Executives, Senior Level\n       Managers, Program Managers and IT Security Managers, Auditors, Technical Security\n       Personnel, and Other IT Security Roles.\n\n           All training records were stored in an OPM-approved centralized system, the\n       \xe2\x80\x9cStudent Training Management System\xe2\x80\x9d (STMS). This system tracked all registra-\n       tions and course completions for only courses identi\xef\xac\x81ed in the Information Assur-\n       ance Plan. However, it did not track courses that are Department paid that employ-\n       ees take yearly to meet continuing professional education requirements. 
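The two training controls this report describes, the PS800 awareness rule (course within 10 days of OpenNet access, then annually by the course anniversary date) and the role-based training requirement for employees with significant security responsibilities, can be reconciled mechanically against a directory roster and a training database. The following Python check is an added example, not code from the Department or OIG: the accounts, registrations, completions, course name "Role-Based IA" and dates are constructed, and the 3-year role-based look-back is taken from the ISSO sample described in this section.

```python
"""Reconcile an AD roster against a training database (constructed data)."""
from dataclasses import dataclass
from datetime import date, timedelta

AWARENESS_COURSE = "PS800"       # Cyber Security Awareness Course
AWARENESS_GRACE_DAYS = 10        # due within 10 days of OpenNet access
ROLE_BASED_LOOKBACK_YEARS = 3    # at least one role-based course in 3 years


@dataclass(frozen=True)
class Account:
    """A directory (AD) account: when access was granted and whether the
    holder has significant security responsibilities (for example an ISSO)."""
    user_id: str
    access_granted: date
    significant_security_role: bool = False


@dataclass(frozen=True)
class Completion:
    """One course completion pulled from the training database."""
    user_id: str
    course: str
    completed: date


def add_years(d: date, years: int) -> date:
    """Shift a date by whole years, clamping Feb 29 to Feb 28 if needed."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def awareness_finding(acct, completions, today):
    """Awareness rule: first completion within 10 days of access, then a
    fresh completion before each course anniversary. None means compliant."""
    dates = sorted(c.completed for c in completions
                   if c.user_id == acct.user_id and c.course == AWARENESS_COURSE)
    if not dates:
        deadline = acct.access_granted + timedelta(days=AWARENESS_GRACE_DAYS)
        return "awareness_overdue_initial" if today > deadline else None
    return "awareness_overdue_annual" if today > add_years(dates[-1], 1) else None


def role_based_finding(acct, completions, today):
    """Role-based rule: at least one non-awareness course in the look-back."""
    cutoff = add_years(today, -ROLE_BASED_LOOKBACK_YEARS)
    recent = [c for c in completions
              if c.user_id == acct.user_id
              and c.course != AWARENESS_COURSE and c.completed >= cutoff]
    return None if recent else "role_based_training_missing"


def reconcile(accounts, registered_ids, completions, today):
    """Return {user_id: [findings]}; an empty list means compliant."""
    findings = {}
    for acct in accounts:
        items = []
        # The gap the report describes: an AD user never registered in the DB.
        if acct.user_id not in registered_ids:
            items.append("not_registered_in_training_db")
        f = awareness_finding(acct, completions, today)
        if f:
            items.append(f)
        if acct.significant_security_role:
            f = role_based_finding(acct, completions, today)
            if f:
                items.append(f)
        findings[acct.user_id] = items
    return findings


def suspension_candidates(findings):
    """Users whose access the policy says to suspend: awareness course overdue."""
    return sorted(u for u, items in findings.items()
                  if any(i.startswith("awareness_overdue") for i in items))


def format_report(findings):
    """One line per user: the periodic compliance report managers lacked."""
    return "\n".join(f"{u}: {', '.join(items) if items else 'compliant'}"
                     for u, items in sorted(findings.items()))


# Constructed sample data (not from the report); "today" is the IRM reporting date.
TODAY = date(2009, 9, 1)
ACCOUNTS = [
    Account("alice", date(2008, 5, 1), significant_security_role=True),
    Account("bob", date(2009, 8, 1)),                  # 31 days in, no course
    Account("carol", date(2009, 8, 28)),               # still inside 10 days
    Account("dave", date(2007, 1, 15)),                # in AD, never registered
    Account("erin", date(2008, 6, 1), significant_security_role=True),
]
REGISTERED = {"alice", "bob", "carol", "erin"}
COMPLETIONS = [
    Completion("alice", "PS800", date(2008, 5, 5)),
    Completion("alice", "PS800", date(2009, 5, 3)),
    Completion("alice", "Role-Based IA", date(2008, 3, 10)),
    Completion("erin", "PS800", date(2008, 6, 3)),          # anniversary passed
    Completion("erin", "Role-Based IA", date(2006, 2, 1)),  # outside 3 years
]

if __name__ == "__main__":
    result = reconcile(ACCOUNTS, REGISTERED, COMPLETIONS, TODAY)
    print(format_report(result))
    print("suspend:", suspension_candidates(result))
```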
Management did not receive a report periodically showing which training courses employees with significant security responsibilities had attended. Of the 15 sampled U.S.-based ISSOs with significant security responsibilities, five (33.33 percent) had not attended any training courses in the past 3 years, two of whom were branch chiefs. All 14 sampled international ISSOs had attended at least one role-based training course in the past 3 years, per the plan's requirement. This year, the CIO reported to OMB that only 24 percent (1,008 of 4,135) of the employees and contractors with significant security responsibilities had attended role-based training in FY 2008.

OMB guidelines and NIST SP 800-16, Information Technology Training Requirements: Role- and Performance-Based Model, April 1998, require that agencies identify employees with significant security responsibilities and provide specialized training. FISMA mandates that agencies implement IA training to enhance awareness of all personnel and to ensure the protection of the agency's information assets. Among the CISO responsibilities is the need to ensure sufficient IA training for all Department systems users. This includes general awareness training, as well as specific role-based training for those with significant information security responsibilities. The IA training plan defined guidelines for Department information system security awareness and training. In addition, the plan provided guidance on identifying employees with significant information security responsibilities and the recommended training associated with these responsibilities.

The review team found that controls did not exist to identify and monitor annual training for employees with significant security responsibilities. Department managers were not provided periodic reports from the STMS that showed training requirements and compliance with them.

Employees with significant security responsibilities were tasked with implementing, enforcing, and monitoring compliance with the Department's security policies and guidelines. Without ensuring that annual training needs are met, these personnel may be unaware of their security responsibilities or be improperly prepared to effectively perform those duties. This increases the risk of a computer security incident that could result in loss, destruction, or misuse of sensitive data and resources.

    Recommendation 9: The Bureau of Diplomatic Security Assistant Director of Training, the Bureau of Information Resource Management Chief Information Security Officer, and bureau systems owners should work together to:
        • Improve methods to identify individuals with significant security responsibilities;
        • Notify these individuals, including employees, supervisors, managers, and executives, of their role-based training requirement;
        • Monitor compliance with the training requirements;
        • Provide management with reports that show compliance with the training requirement; and
        • Modify the Student Training Management System to capture other training programs, such as those paid for by the Department, to meet Continuing Professional Education requirements (for example, CISSP designation).

Management Response and OIG Reply

IRM concurred with the recommendation, stating it will consider methods to identify who has significant security responsibilities and develop methods to communicate and monitor compliance with training requirements. Based on the response, OIG considers the recommendation resolved, pending further action.

INVENTORY RECORDS WERE MATERIALLY CORRECT

In response to four FY 2008 FISMA report recommendations relating to inventory systems management and oversight of contractor systems, IRM/IA modified its procedures for collecting, analyzing, and managing inventory systems. The review team found that IRM/IA had implemented several control procedures that were reviewed and verified during the team's analysis of 3rd and 4th quarter inventory records. Specifically, the following controls were implemented:

    • The inventory toolkits were updated to provide guidance on inventory identification, analysis, and recording. The FY 2009 inventory data call provided increased focus on defining and identifying "contractor systems" and "system connections" that were missing in FY 2008.
    • The FY 2009 inventory data call was initiated in early November 2008.
    • Routine quarterly inventory data calls were made, and they reminded bureau and post systems owners to report new systems and significant changes to systems to ensure the accuracy of their FISMA-reportable inventory.

FISMA requires the Department to keep an inventory of information systems. OMB Circulars A-123, A-127 (Financial Management Systems), and A-130 (Management of Federal Information Resources) require agencies to develop and maintain an information systems inventory, document the types of information systems required to be reported, and detail how and how often those reports must be submitted to OMB. FIPS Publication 199 requires that agencies categorize their information systems as low-, moderate-, or high-impact. Systems containing privacy-related information are automatically raised to the level of "Major Information Systems," and therefore must be reported in the information system inventory.

In FY 2009, the inventory process included quarterly (as opposed to annual in FY 2008) data calls to identify, qualify, and quantify all information systems in use at each bureau and overseas post. The process was intended to identify the universe of information systems and IT assets such as networks (general support systems), applications, and websites. IRM/IA used the results of the data call to populate two primary databases: the IT Asset Baseline (ITAB) and the FISMA Inventory Database. ITAB stored the universe of the Department's IT assets inventory and was used to track and report the IT assets managed by the Department. The FISMA Inventory Database stored information on identified major information systems that are FISMA reportable. IRM/IA analyzed the data in the ITAB database with the asset owner in order to identify the major information systems that should be reported in the inventory as those evaluated for FISMA compliance.

The inventory information included in the Department's 3rd quarter inventory records was the basis for selection of the systems that were used to perform tests based on OMB guidelines. Selected for in-scope testing were 23 high- and moderate-impact systems, consisting of 18 from the prior year's in-scope sample and five additional systems, which the review team assumed contained PII data. The 18 systems from the prior year were included in the sample because the review team believed that an analysis of these systems would provide a method for judging what improvements had been made in the C&A process and would also verify implementation of the FY 2008 recommendations. The review team found the inventory to be materially correct, with no management recommendations.

INCIDENT MANAGEMENT PROGRAM WAS ADEQUATELY MANAGED

The review team found that even though incident response management was decentralized, well-defined procedures existed and the process was well coordinated and had operated effectively in the past 2 years. The computer incident response team (CIRT), within DS, was the center of the Department's incident response program. CIRT's efforts to safeguard the Department's networks involved collaboration and information sharing with other program officials within DS, including the Cyber Threat Analysis Division (CTAD) and the Virus Incident Response Team (VIRT). In addition, CIRT officials coordinated with IRM's Firewall Team and Enterprise Network Management Operations Center, systems managers, ISSOs, regional computer security officers, and the privacy team. CIRT worked cohesively with these entities to identify threats; monitor networks; identify, analyze, and report anomalies; implement corrective action; and identify trends to improve the security posture of the Department.

FISMA requires agencies to establish procedures for detecting, reporting, and responding to security incidents. NIST SP 800-61, revision 1, Computer Security Incident Handling Guide, March 2008, provides guidance to agencies on establishing an effective incident response program. The guidance focuses on four phases: preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity. OMB Circular A-130, Appendix III, requires agencies to develop SSPs. SSPs are an overview of the security requirements of the system and describe the controls in place or planned to meet those requirements. The SSPs also delineate the responsibilities for and the expected behavior of all individuals who access the system. The SSP is organized into three general classes of security controls: management, operational, and technical. Incident reporting is part of the operational security controls.

To verify that security incidents were reported timely to the US-CERT,[6] as required by Department policy, the review team obtained and reviewed DS CIRT monthly and daily reports for the months of October 2008 and January and April 2009. The review team found that in October, 14 PII tickets were identified and reported to US-CERT, as required; in January, five Information Security tickets were identified and reported to US-CERT, as required; and in April, five PII tickets and one unauthorized access ticket were reported to US-CERT. A few minor exceptions were identified in April, but the review team was able to resolve the issues with supporting e-mail documentation from CIRT.

    6 US-CERT is the operational arm of the National Cyber Security Division at the Department of Homeland Security.

PRIVACY PROGRAM IS IN COMPLIANCE WITH FEDERAL REQUIREMENTS AND OMB GUIDANCE

At the Department of State, the Assistant Secretary for Administration is the Senior Agency Official for Privacy and is responsible for implementing privacy programs. The Privacy Division managed and operated a privacy program in compliance with OMB policies and guidance and developed and documented adequate, compliant policies for safeguarding privacy-related information. Privacy training is provided to employees but is not mandatory.

Privacy guidance and provisions for all Federal agencies are described in section 208 of the E-Government Act of 2002[7] and OMB Memorandum M-03-22, Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, September 26, 2003. Per the E-Government Act of 2002, agencies are required to conduct privacy impact assessments (PIA) for electronic information systems and collections and make the assessments publicly available. Further, the agency must post privacy policies on agency Web sites and translate privacy policies into a standardized machine-readable format. OMB Memorandum M-03-22 provides additional guidance to the agencies and directs agencies to conduct reviews of how information about individuals is handled within their respective agency when they use electronic means to collect new information or when agencies develop or buy new systems to handle collections of PII.

    7 Pub. L. No. 107-347, 44 U.S.C., ch. 36.

The Privacy Division created a new PIA template with a guide to assist systems owners in developing required PIAs and tools for identifying and mitigating privacy risks. The review team obtained and reviewed the new PIA template and found that it addressed all applicable OMB-required privacy content. For each of the 23 in-scope systems, the review team determined whether a PIA should have been completed, whether the new PIA template was used, and whether the template was completed correctly in accordance with the guidelines. The review team found that five of the in-scope systems did not contain PII and did not require a PIA; eight systems used the new template and were completed correctly; and of the eight that did not use the new template, three did not state clearly what PII data was collected. According to the Privacy Officer, a program was implemented in response to the FISMA FY 2008 review to update the PIA template in FY 2009 and to use a 3-year approach to migrate all existing PIAs to the updated template as the systems are recertified. Based on advice from the review team, the Privacy Officer agreed to accelerate implementation of the new PIA template.

LIST OF RECOMMENDATIONS

Recommendation 1: The Chief Information Security Officer and the Bureau of Information Resource Management (IRM) should:
    • Work with systems owners to identify critical and volatile controls to test and use National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, revision 3, Recommended Security Controls for Federal Information Systems, August 2009, P1 priority controls as a starting point.
    • Establish procedures to verify that volatile controls are correctly determined and tested.
    • Expand the IRM quality control program to include analysis of how well certification testing addresses critical, volatile, and inherited controls and to also determine whether all controls are tested over a 3-year certification and accreditation cycle.
    • Review inherited control selection procedures and update policy in the Toolkit to ensure that misunderstandings about critical but inherited control testing responsibility are resolved.
    • Provide formal guidance on which NIST SP 800-53, revision 3, controls may be inherited from OpenNet and the conditions under which such inheritance will be approved.

Recommendation 2: The Chief Information Security Officer, Bureau of Information Resource Management, and systems owners should:
    • Supplement the current information provided in the Certification and Accreditation (C&A) Main Toolkit and Inventory Toolkit with additional guidance to include at least the following supplemental directives:
        ▫ Federal Information Security Management Act control CA-3 as a requirement in the annual testing list of "critical" or "volatile" controls for all moderate- and high-impact systems.
        ▫ Guidance on how to test and verify that the control is operating effectively.
    • Be more proactive in reviewing System Security Plans and test results to ensure compliance with the methodology in the C&A Toolkits.

Recommendation 3: The Chief Information Security Officer, Bureau of Information Resource Management, and systems owners should take the following actions:
    • Update the Contingency Plan (CP) Toolkit to include the requirement that systems owners should review and revise the CP after any CP failed test results.
    • Update the CP exit criteria checklist to include verification by the Bureau of Information Resource Management, Office of Information Assurance (IRM/IA), that the systems owners:
        ▫ Conduct CP testing in accordance with the system's National Institute of Standards and Technology Special Publication 800-60, revision 1, Guide for Mapping Types of Information and Information Systems to Security Categories, August 2008, availability impact level as indicated on the Security Categorization Form (SCF).
        ▫ Create a Plan of Action and Milestones for each failed CP test/control.
        ▫ Update the CP to address each failed CP test/control (or provide clear documentation explaining why no such update is necessary).
    • Update the exit checklists for the six documents listed to include verification by IRM/IA that each document is consistent with the SCF, and modify the SCF checklist to include verification by IA that these documents are updated if the impact level is revised upward. The documents are as follows:
        ▫ The System Security Plan
        ▫ The Contingency Plan
        ▫ The Security Control Assessment Plan (SCAP)
        ▫ The Certification Report
        ▫ The Authority To Operate
        ▫ Future Annual or Certification and Accreditation Tests

Recommendation 4: The Chief Information Security Officer, Bureau of Information Resource Management, the Systems Integrity Director of Diplomatic Security, and the Deputy Chief Information Officer for Business Planning and Customer Service should:
    • Address the extent to which centralization versus decentralization of control testing, remediation, and management should be readjusted to produce better configuration management (CM).
    • Analyze and document the extent to which centralized automation of CM is an efficient and more cost-effective method than the current decentralized method.
    • Develop an Information Security Architecture that considers how to request, review, document, and approve CM exceptions that may be necessary to allow the business of the Department of State to be conducted and provide criteria for the decision process.

Recommendation 5: The Chief Information Security Officer, Bureau of Information Resource Management, should work with systems owners to accomplish the following:
    • Record systemic security weaknesses identified through the iPost/Site Scoring process as Plan of Action and Milestones (POA&M) actions to ensure the weaknesses are tracked, prioritized, and remediated;
    • Report POA&M actions on a quarterly basis for sites that have low scores, requiring them to raise those scores; and
    • Report POA&M actions for risk covered by iPost scoring "exceptions."

Recommendation 6: The Chief Information Security Officer, Bureau of Information Resource Management, should work with systems owners to implement the following:
    • Coordinate with systems owners to develop a method that ensures that each systems owner provides timely and complete updates to the Plan of Action and Milestones (POA&M) databases and to relevant officials, including the Bureau of Information Resource Management, Office of Information Assurance (IA), on a regular basis (Recommendation 4 in the FY 2008 FISMA report).
    • Ensure that IA management implements a process to validate information in the Department of State POA&M database and performs a quality review on the Corrective Action Plan report before it is submitted to the Office of Management and Budget.

Recommendation 7: The Chief Financial Officer, Bureau of Information Resource Management, and systems owners should work together to develop, publish, and implement detailed standard operating procedures (SOP) for addressing information technology (IT) audit-related weaknesses and findings. These SOPs should define the following:
    • Clear objectives and criteria on what should be actionable and tracked in the Office of Information Assurance Plan of Action and Milestones (POA&M) Department of State database and how duplicated findings, or findings that include business processes and multiple bureaus, should be addressed in a collaborative effort among various parties.
    • Responsibilities for each functional area in reviewing the findings or recommendations or notices of potential findings and turning them into actionable items, to include root cause analyses, proposed actionable solutions, responsible parties for implementing the solutions, and milestones/tasks, including reasonable, scheduled completion dates, before they are imported into the POA&M Department database.

Recommendation 8: The Director of the Foreign Service Institute and the Director of the Office of Computer Security, Bureau of Diplomatic Security, should:
    • Implement methods to globally enforce the security awareness policies to suspend a user's access if the Cyber Security Awareness Course is not taken within 10 days of access to the Department of State Network or annually by the employee's anniversary date.
    • Enhance already existing connectivity between Active Directory (AD) and the Course so that each time a user is created in AD, the user's identification is also registered in the Cyber Security database per Diplomatic and Consular Posts telegram ALDAC 087187 and Department Notice 2008_08_060.
    • Provide additional
monitoring tools for the Information Systems Security\n                Of\xef\xac\x81cers to ensure user compliance with established policies.\n       Recommendation 9: The Bureau of Diplomatic Security Assistant Director of\n         Training, the Bureau of Information Resource Management Chief Information\n         Security Of\xef\xac\x81cer, and bureau systems owners should work together to:\n           \xe2\x80\xa2 \t Improve methods to identify individuals with signi\xef\xac\x81cant security responsi-\n               bilities;\n           \xe2\x80\xa2 \t Notify these individuals, including employees, supervisors, managers, and\n               executives, of their role-based training requirement;\n           \xe2\x80\xa2 \t Monitor compliance with the training requirements;\n           \xe2\x80\xa2 \t Provide management with reports that show compliance with the training\n               requirement; and\n           \xe2\x80\xa2 \t Modify the Student Training Management System to capture other training\n               programs, such as those paid for by the Department, to meet Continuing\n               Professional Education requirements (for example, CISSP designation).\n\n\n\n\n36 .            OIG Report No. 
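Recommendation 8 combines an enforcement rule (course due within 10 days of network access, then annually by the employee's anniversary date) with a requirement that every AD account be mirrored into the training database. The Python below is an added illustration of how an ISSO could evaluate accounts against that rule; it is not the Department's code, and the account records, registration set, hypothetical names, and the 16 November 2009 cut-off are all constructed, with the 10-day window treated as inclusive.

```python
"""Awareness-training compliance check modelled on Recommendation 8.
Added example: the rule details, field names and sample data below are
constructed assumptions, not the Department's systems or records."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional, Set

GRACE_DAYS = 10                      # course due within 10 days of first access
NOT_REGISTERED = "not_registered"    # AD account absent from training database
GRACE = "grace"                      # inside the window, course not yet taken
SUSPEND_INITIAL = "suspend_initial"  # initial course overdue
SUSPEND_ANNUAL = "suspend_annual"    # no completion since the last anniversary
COMPLIANT = "compliant"


@dataclass(frozen=True)
class AdUser:
    user_id: str
    access_granted: date  # first day of network access
    hire_date: date       # anniversary recurs on this month/day every year


@dataclass(frozen=True)
class Completion:
    user_id: str
    completed: date


def last_anniversary(hire: date, today: date) -> Optional[date]:
    """Most recent anniversary of `hire` on or before `today`, or None when the
    first anniversary has not arrived yet. A 29 Feb hire date clamps to 28 Feb."""
    day = 28 if (hire.month, hire.day) == (2, 29) else hire.day
    candidate = date(today.year, hire.month, day)
    if candidate > today:
        candidate = date(today.year - 1, hire.month, day)
    return candidate if candidate > hire else None


def training_status(user: AdUser, registered: Set[str],
                    completions: Iterable[Completion], today: date) -> str:
    """Classify one AD account against the 10-day and annual rules."""
    if user.user_id not in registered:
        return NOT_REGISTERED          # AD-to-training-database sync gap
    done = [c.completed for c in completions
            if c.user_id == user.user_id and c.completed <= today]
    if not done:
        overdue = (today - user.access_granted).days > GRACE_DAYS
        return SUSPEND_INITIAL if overdue else GRACE
    anniversary = last_anniversary(user.hire_date, today)
    if anniversary is not None and max(done) < anniversary:
        return SUSPEND_ANNUAL          # refresher not taken since anniversary
    return COMPLIANT


def evaluate(users: Iterable[AdUser], registered: Set[str],
             completions: List[Completion], today: date) -> Dict[str, str]:
    return {u.user_id: training_status(u, registered, completions, today)
            for u in users}


def accounts_to_suspend(statuses: Dict[str, str]) -> List[str]:
    """Accounts to disable; unregistered accounts are a sync finding instead."""
    return sorted(u for u, s in statuses.items()
                  if s in (SUSPEND_INITIAL, SUSPEND_ANNUAL))


# Constructed sample data (hypothetical users); the cut-off date is arbitrary.
AS_OF = date(2009, 11, 16)
SAMPLE_USERS = [
    AdUser("alice", date(2009, 11, 10), date(2009, 11, 10)),  # day 6 of window
    AdUser("bob", date(2009, 10, 20), date(2009, 10, 20)),    # never took course
    AdUser("carol", date(2006, 5, 3), date(2006, 5, 3)),      # refreshed in 2009
    AdUser("dave", date(2007, 9, 1), date(2007, 9, 1)),       # missed 2009 refresher
    AdUser("erin", date(2009, 11, 12), date(2009, 11, 12)),   # never synced from AD
    AdUser("frank", date(2008, 2, 29), date(2008, 2, 29)),    # leap-day hire
]
SAMPLE_REGISTERED = {"alice", "bob", "carol", "dave", "frank"}
SAMPLE_COMPLETIONS = [
    Completion("carol", date(2008, 6, 1)), Completion("carol", date(2009, 6, 15)),
    Completion("dave", date(2008, 9, 20)), Completion("frank", date(2008, 3, 3)),
]

if __name__ == "__main__":
    result = evaluate(SAMPLE_USERS, SAMPLE_REGISTERED, SAMPLE_COMPLETIONS, AS_OF)
    for user_id, state in sorted(result.items()):
        print(f"{user_id:6} {state}")
    print("suspend:", accounts_to_suspend(result))
```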
ABBREVIATIONS

AD          Active Directory
ATO         Authority to Operate
C&A         certification and accreditation
CA          Bureau of Consular Affairs
CAP         Corrective Action Plan
cdits       Consular Data Information Transfer System
CFO         Chief Financial Officers
CIO         Chief Information Officer
CISO        Chief Information Security Officer
CIRT        Computer Incident Response Team
CM          Configuration Management
CNSS        Committee on National Security Systems
CP          Contingency Plan
CPE         Continuing Professional Education
Department  Department of State
DS          Diplomatic Security
FAM         Foreign Affairs Manual
FIPS        Federal Information Processing Standards
FISMA       Federal Information Security Management Act of 2002
IA          Office of Information Assurance
IDS         Intrusion Detection Systems
IG          Inspector General
IRM         Information Resource Management
IRM/IA      Office of Information Assurance, IRM
ISA         Interconnection Security Agreement
ISSO        Information System Security Officers
IT          information technology
NIST        National Institute of Standards and Technology
MOU/MOA     Memorandum of Understanding/Agreement
OIG         Office of Inspector General
OMB         Office of Management and Budget
OpenNet     Department of State internal network (intranet)
OPM         Office of Personnel Management
PIA         Privacy Impact Assessment
PII         Personally Identifiable Information
POA&M       plan of action and milestones
PTA         Privacy Threshold Analysis
RM          Bureau of Resource Management
SAR         System Accreditation Report
SCAP        Security Control Assessment Plan
SCF         System Categorization Form
SMS         Systems Management Server
SP          Special Publication
SSP         System Security Plan
US-CERT     United States Computer Emergency Readiness Team

APPENDIX A

SCOPE AND METHODOLOGY

The scope of the review was limited to the Inspector General’s reporting categories (as listed) and questions included in Office of Management and Budget (OMB) Memorandum M-09-29, FY 2009 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, August 20, 2009. The reporting categories included the following:
    • Inventory
    • Certification and Accreditation (C&A), Security Controls Testing, and Contingency Plan Testing
    • Evaluation of Agency Oversight of Contractor Systems and Quality of Agency Inventory
    • Evaluation of the Agency’s Plan of Action and Milestones (POA&M) Process
    • Inspector General (IG) Assessment of the C&A Process
    • IG Assessment of the Agency’s Privacy Program and Privacy Impact Assessment (PIA) Process
    • Configuration Management
    • Incident Reporting
    • Security Awareness Training
    • Peer-to-Peer File Sharing

The review team conducted this review in accordance with OMB guidance and Federal Information Security Management Act of 2002 (FISMA) recommendations, which required that the team plan and perform the review to obtain sufficient, appropriate evidence to provide a reasonable basis for its findings and conclusions based on the review objectives. To accomplish this, the review team did the following:
    • Reviewed prior FISMA reports and their supporting work papers.
    • Interviewed Department of State Information System management to gain an understanding of the policies, procedures, and controls used to implement FISMA and OMB guidelines.
    • Reviewed policies and procedures posted on the Department’s intranet, OpenNet.
    • Documented its understanding of the environment.
    • Obtained third quarter inventory records. Made a judgmental selection of 23 systems for the in-scope FY 2009 testing. The sample of 23 consisted of 18 systems from the previous year (FY 2008) and five new systems from the current year that may have interfaces with other systems and contain personally identifiable information.
    • Obtained and analyzed supporting evidence from management to determine whether the policies, procedures, and controls implemented operated effectively during the fiscal year.
    • Obtained and analyzed evidence to determine whether management had implemented corrective actions to close prior years’ audit findings and recommendations.

During the review, the review team documented and communicated to management issues identified through Notices of Potential Finding and Recommendations. These notices were communicated to the Department management, who concurred with all of them.

APPENDIX B

FOLLOW-UP OF RECOMMENDATIONS FROM THE FY 2008 FISMA REPORT

The review team reviewed actions implemented by management to mitigate the control gaps identified in the FY 2008 FISMA report. The current status of each of those recommendations is as follows:

Recommendation 1: The Chief Information Officer should reschedule annual inventory data call activities to allow sufficient time to complete the analysis of pending items prior to the annual FISMA review.

2009 Status – Closed. Inventory analysis started in November 2008, with quarterly updates performed in 2009.

Recommendation 2: The Chief Information Officer should ensure that system owners are provided with improved guidance for properly identifying contractor-owned or -operated systems and how to report them for systems inventory purposes.

2009 Status – Closed. Improved guidance was provided in inventory ToolKits, and follow-up was performed by the Bureau of Information Resource Management, Office of Information Assurance.

Recommendation 3: The Chief Information Officer should ensure that national security systems are properly classified and accounted for by the Bureaus of Information Resources Management and Diplomatic Security in their respective Federal Information Security Management Act inventories.

2009 Status – Closed. Only one national security system was found in the wrong inventory system during an analysis of the inventory systems. This was not an exception.

Recommendation 4: The Chief Information Officer should coordinate with systems owners to develop a method to ensure that each systems owner provides timely and complete updates to plans of action and milestones databases and relevant officials, including the Bureau of Information Resource Management, Office of Information Assurance, on a regular basis.

2009 Status – This is a repeat recommendation from the FY 2008 report. It has become Recommendation 6 in the FY 2009 report.

Recommendation 5: The Chief Information Officer should develop and test system connection agreement control (NIST SP 800-53 control CA-3) between Department system owners and external connection system owners to serve as a compensating control for systems security plan testing.

2009 Status – Partially implemented. This recommendation was combined with Recommendation 10, which was also partially implemented, and has become Recommendation 2 in the FY 2009 report.

Recommendation 6: The Chief Information Officer should review the security control testing program to ensure that all critical controls are identified and tested at least annually for high and moderate risk systems.

2009 Status – Partially implemented. This recommendation has become Recommendation 1 in the FY 2009 report.

Recommendation 7: The Chief Information Officer should update its policy on contingency planning to require that contingency plan test results be incorporated into an updated system contingency plan.

2009 Status – Partially implemented. This recommendation was combined with Recommendation 8, which was also partially implemented, and has become Recommendation 3 in the FY 2009 report.

Recommendation 8: The Chief Information Officer should provide guidance to system owners to ensure that contingency plan test results are adequately documented and incorporated, as needed, into the plans of action and milestone process.

2009 Status – Partially implemented. This recommendation was combined with Recommendation 7, which was also partially implemented, and has become Recommendation 3 in the FY 2009 report.

Recommendation 9: The Chief Information Officer should develop and document a process for management and oversight of contractor-owned and/or -operated information systems. This documented process should include, at a minimum, the process for identifying and describing the interconnectivity between contractor systems and the Department.

2009 Status – Closed. Improved guidance was provided in inventory Toolkits and follow-up was performed by the Bureau of Information Resource Management, Office of Information Assurance.

Recommendation 10: The Chief Information Officer should develop and maintain Interconnection Security Agreements and Memoranda of Understanding/Agreements in System Security Accreditation files.

2009 Status – Partially implemented. This recommendation was combined with Recommendation 5, which was also partially implemented, and has become Recommendation 2 in the FY 2009 report.

Recommendation 11: The Chief Information Officer should establish a process to monitor and validate security awareness training provided to those individuals without access to Department networks.

2009 Status – Open.

APPENDIX C

BUREAU OF INFORMATION RESOURCE MANAGEMENT RESPONSE

FRAUD, WASTE, ABUSE, OR MISMANAGEMENT of Federal programs and resources hurts everyone.

Call the Office of Inspector General HOTLINE
202-647-3320 or 1-800-409-9926
or e-mail oighotline@state.gov
to report illegal or wasteful activities.

You may also write to
Office of Inspector General
U.S. Department of State
Post Office Box 9778
Arlington, VA 22219

Please visit our Web site at: http://oig.state.gov

Cables to the Inspector General should be slugged “OIG Channel” to ensure confidentiality.